@smilintux/skcapstone 0.6.1 → 0.6.3

package/src/skcapstone/pillars/identity.py

@@ -9,16 +9,22 @@ from __future__ import annotations
 
 import json
 import logging
-import subprocess
 from datetime import datetime, timezone
+from shutil import copyfile
 from pathlib import Path
 from typing import Optional
 
 from ..models import IdentityState, PillarStatus
+from ..operator_link import create_operator_attestation
 
 logger = logging.getLogger("skcapstone.identity")
 
 
+def _capauth_home(home: Path) -> Path:
+    """Return the agent-local CapAuth home for an SKCapstone agent."""
+    return home / "capauth"
+
+
 def generate_identity(
     home: Path,
     name: str,
@@ -47,10 +53,14 @@ def generate_identity(
         status=PillarStatus.DEGRADED,
     )
 
-    capauth_state = _try_init_capauth(name, state.email, identity_dir)
+    capauth_home = _capauth_home(home)
+    capauth_state = _try_init_capauth(name, state.email, identity_dir, capauth_home)
     if capauth_state is not None:
         state.fingerprint = capauth_state.fingerprint
         state.key_path = capauth_state.key_path
+        state.name = capauth_state.name
+        state.email = capauth_state.email
+        state.created_at = capauth_state.created_at
         state.status = PillarStatus.ACTIVE
     else:
         state.fingerprint = _generate_placeholder_fingerprint(name)
@@ -63,18 +73,39 @@ def generate_identity(
         "created_at": state.created_at.isoformat() if state.created_at else None,
         "capauth_managed": state.status == PillarStatus.ACTIVE,
     }
+    if state.key_path is not None:
+        identity_manifest["public_key_path"] = str(state.key_path)
+    if state.status == PillarStatus.ACTIVE:
+        identity_manifest["capauth_home"] = str(capauth_home)
+
+        attestation = create_operator_attestation(
+            agent_name=state.name or name,
+            agent_fingerprint=state.fingerprint or "",
+            agent_public_key_path=state.key_path or (capauth_home / "identity" / "public.asc"),
+            output_dir=identity_dir,
+        )
+        if attestation is not None:
+            payload = attestation.get("payload", {})
+            identity_manifest["operator_attestation_path"] = str(
+                identity_dir / "operator-attestation.json"
+            )
+            identity_manifest["operator_attested_by"] = payload.get("operator_fingerprint")
+
     (identity_dir / "identity.json").write_text(json.dumps(identity_manifest, indent=2), encoding="utf-8")
 
     return state
 
 
 def _try_init_capauth(
-    name: str, email: str, identity_dir: Path
+    name: str,
+    email: str,
+    identity_dir: Path,
+    capauth_home: Path,
 ) -> Optional[IdentityState]:
     """Try to create or load a real CapAuth identity.
 
     Attempts (in order):
-    1. Load an existing CapAuth profile from ~/.capauth/
+    1. Load an existing CapAuth profile from the agent-local CapAuth home
     2. Create a new profile via capauth.profile.init_profile()
     3. Fall back to legacy capauth.keys.generate_keypair()
 
@@ -90,12 +121,17 @@ def _try_init_capauth(
     try:
         from capauth.profile import load_profile  # type: ignore[import-untyped]
 
-        profile = load_profile()
+        profile = load_profile(base_dir=capauth_home)
+        key_path = Path(profile.key_info.public_key_path)
+        legacy_key_path = identity_dir / "agent.pub"
+        if key_path.exists() and not legacy_key_path.exists():
+            copyfile(key_path, legacy_key_path)
         return IdentityState(
             fingerprint=profile.key_info.fingerprint,
-            key_path=Path(profile.key_info.public_key_path),
+            key_path=key_path,
             name=profile.entity.name,
             email=profile.entity.email,
+            created_at=profile.key_info.created,
             status=PillarStatus.ACTIVE,
         )
     except ImportError:
@@ -105,18 +141,26 @@ def _try_init_capauth(
 
     # No existing profile — try creating one
     try:
+        from capauth.models import EntityType  # type: ignore[import-untyped]
         from capauth.profile import init_profile  # type: ignore[import-untyped]
 
         profile = init_profile(
             name=name,
             email=email,
             passphrase="",
+            entity_type=EntityType.AI,
+            base_dir=capauth_home,
         )
+        key_path = Path(profile.key_info.public_key_path)
+        legacy_key_path = identity_dir / "agent.pub"
+        if key_path.exists():
+            copyfile(key_path, legacy_key_path)
         return IdentityState(
             fingerprint=profile.key_info.fingerprint,
-            key_path=Path(profile.key_info.public_key_path),
+            key_path=key_path,
             name=profile.entity.name,
             email=profile.entity.email,
+            created_at=profile.key_info.created,
             status=PillarStatus.ACTIVE,
         )
     except Exception as exc:

package/src/skcapstone/pillars/memory.py

@@ -11,9 +11,11 @@ store/search/recall/list/gc capabilities. The optional external
 
 from __future__ import annotations
 
+import os
 from pathlib import Path
 from typing import Optional
 
+from .. import active_agent_name
 from ..models import MemoryLayer, MemoryState, PillarStatus
 
 
@@ -31,9 +33,13 @@ def initialize_memory(home: Path, memory_home: Optional[Path] = None) -> MemoryS
     Returns:
         MemoryState after initialization.
     """
-    # Use agent-specific memory directory
-    agent_name = os.environ.get("SKCAPSTONE_AGENT", "lumina")
-    memory_dir = home / "agents" / agent_name / "memory"
+    agent_name = os.environ.get("SKCAPSTONE_AGENT") or active_agent_name()
+    if home.parent.name == "agents":
+        memory_dir = home / "memory"
+    elif agent_name:
+        memory_dir = home / "agents" / agent_name / "memory"
+    else:
+        memory_dir = home / "memory"
     memory_dir.mkdir(parents=True, exist_ok=True)
 
     for layer in MemoryLayer:

package/src/skcapstone/runtime.py

@@ -94,10 +94,14 @@ class AgentRuntime:
         logger.info("Awakening agent from %s (shared: %s)", self.home, self.shared_root)
 
         manifest_file = self.home / "manifest.json"
+        manifest_name_loaded = False
         if manifest_file.exists():
             try:
                 data = json.loads(manifest_file.read_text(encoding="utf-8"))
-                self.manifest.name = data.get("name", self.manifest.name)
+                manifest_name = data.get("name")
+                if manifest_name:
+                    self.manifest.name = manifest_name
+                    manifest_name_loaded = True
                 if data.get("created_at"):
                     self.manifest.created_at = datetime.fromisoformat(data["created_at"])
                 connectors_data = data.get("connectors", [])
@@ -105,8 +109,6 @@ class AgentRuntime:
             except (json.JSONDecodeError, ValueError) as exc:
                 logger.warning("Failed to load manifest: %s", exc)
 
-        self.manifest.name = self.config.agent_name
-
         # Discover pillars from per-agent home
         pillars = discover_all(self.home, shared_root=self.shared_root)
         self.manifest.identity = pillars["identity"]
@@ -117,6 +119,14 @@ class AgentRuntime:
         self.manifest.sync = pillars["sync"]
         self.manifest.skills = pillars["skills"]
 
+        if (
+            self.manifest.identity.name
+            and self.manifest.identity.status == PillarStatus.ACTIVE
+        ):
+            self.manifest.name = self.manifest.identity.name
+        elif not manifest_name_loaded and self.config.agent_name:
+            self.manifest.name = self.config.agent_name
+
         self.manifest.last_awakened = datetime.now(timezone.utc)
         self._awakened = True
 

package/src/skcapstone/service_health.py

@@ -32,6 +32,10 @@ logger = logging.getLogger("skcapstone.service_health")
 # Default timeout per service check (seconds).
 CHECK_TIMEOUT = 3
 
+# Hostname tag for multi-machine dedup — prevents Syncthing conflicts when
+# multiple daemons write to the same ITIL incident files.
+_HOSTNAME = socket.gethostname()
+
 
 # ---------------------------------------------------------------------------
 # Individual service checks
@@ -218,18 +222,23 @@ def _create_incident_for_down_service(service_result: dict[str, Any]) -> None:
         from .itil import ITILManager
 
         svc_name = service_result["name"]
+        error_info = service_result.get("error") or "unreachable"
         mgr = ITILManager(os.path.expanduser(SHARED_ROOT))
 
         # Dedup: skip if there's already an open incident for this service
         existing = mgr.find_open_incident_for_service(svc_name)
         if existing:
-            logger.debug(
-                "Skipping incident creation for %s — open incident %s exists",
-                svc_name, existing.id,
-            )
+            # Only add a "still down" note if this host hasn't noted it recently
+            last_notes = [e.get("note", "") for e in (existing.timeline or [])[-3:]]
+            host_tag = f"[{_HOSTNAME}]"
+            if any(host_tag in n and "still down" in n for n in last_notes):
+                logger.debug("Skipping duplicate down note for %s from %s", svc_name, _HOSTNAME)
+            else:
+                mgr.update_incident(
+                    existing.id, "service_health",
+                    note=f"[{_HOSTNAME}] Service {svc_name} still down: {error_info}",
+                )
             return
-
-        error_info = service_result.get("error") or "unreachable"
         mgr.create_incident(
             title=f"{svc_name} down",
             severity="sev3",
@@ -267,10 +276,14 @@ def _auto_resolve_recovered_service(service_result: dict[str, Any]) -> None:
             logger.info("Auto-resolved sev4 incident %s for recovered service %s",
                         existing.id, svc_name)
         else:
-            mgr.update_incident(
-                existing.id, "service_health",
-                note=f"Service {svc_name} appears to be back up",
-            )
+            # Skip if this host already noted recovery recently
+            last_notes = [e.get("note", "") for e in (existing.timeline or [])[-3:]]
+            host_tag = f"[{_HOSTNAME}]"
+            if not any(host_tag in n and "back up" in n for n in last_notes):
+                mgr.update_incident(
+                    existing.id, "service_health",
+                    note=f"[{_HOSTNAME}] Service {svc_name} appears to be back up",
+                )
     except Exception as exc:
         logger.debug("Failed to auto-resolve incident for %s: %s",
                       service_result.get("name"), exc)

package/src/skcapstone/session_briefing.py

@@ -0,0 +1,108 @@
+"""Session briefing helpers for SKCapstone startup flows."""
+
+from __future__ import annotations
+
+import json
+import os
+import subprocess
+import sys
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any
+
+from .context_loader import format_text, gather_context
+
+
+DEFAULT_HAMMERTIME_ROOT = Path("/mnt/cloud/onedrive/projects/DAVE AI/hammerTime")
+
+
+def _resolve_hammertime_root() -> Path:
+    """Resolve the HammerTime workspace root."""
+    return Path(os.environ.get("HAMMERTIME_ROOT", DEFAULT_HAMMERTIME_ROOT)).expanduser()
+
+
+def load_hammertime_briefing(
+    *,
+    python_bin: str | None = None,
+    root: Path | None = None,
+) -> dict[str, Any] | None:
+    """Load the HammerTime case briefing if the repo is available."""
+    if os.environ.get("SK_INCLUDE_HAMMERTIME_BRIEFING", "1") == "0":
+        return None
+
+    hammer_root = root or _resolve_hammertime_root()
+    script = hammer_root / "scripts" / "case-briefing.py"
+    if not script.exists():
+        return None
+
+    try:
+        completed = subprocess.run(
+            [python_bin or sys.executable, str(script)],
+            check=True,
+            capture_output=True,
+            text=True,
+        )
+    except (OSError, subprocess.CalledProcessError):
+        return None
+
+    try:
+        payload = json.loads(completed.stdout)
+    except json.JSONDecodeError:
+        return None
+    return payload if isinstance(payload, dict) else None
+
+
+def build_session_briefing(
+    home: Path,
+    *,
+    memory_limit: int = 10,
+    python_bin: str | None = None,
+) -> dict[str, Any]:
+    """Build a native session briefing payload."""
+    return {
+        "generated_at": datetime.now(timezone.utc).isoformat(),
+        "agent_home": str(home),
+        "skcapstone_context": gather_context(home, memory_limit=memory_limit),
+        "hammertime_briefing": load_hammertime_briefing(python_bin=python_bin),
+    }
+
+
+def format_session_briefing_text(payload: dict[str, Any]) -> str:
+    """Render a human-readable session briefing."""
+    lines = [
+        "# SKCapstone Session Briefing",
+        "",
+        f"generated_at={payload.get('generated_at')}",
+        f"agent_home={payload.get('agent_home')}",
+        "",
+        "## skcapstone context",
+        format_text(payload["skcapstone_context"]).rstrip(),
+    ]
+
+    briefing = payload.get("hammertime_briefing")
+    if briefing:
+        top = briefing.get("top_priority") or {}
+        lines.extend(
+            [
+                "",
+                "## hammertime briefing",
+                f"- alert_count: {briefing.get('alert_count', 0)}",
+                f"- queue_size: {briefing.get('summary', {}).get('queue_size', 0)}",
+            ]
+        )
+        if top:
+            lines.extend(
+                [
+                    f"- do_this_now_incident: {top.get('incident_id')} ({top.get('problem_slug')})",
+                    f"- do_this_now_action: {top.get('action')}",
+                    f"- do_this_now_status: {top.get('status')}",
+                ]
+            )
+        for item in (briefing.get("focus_items") or [])[:3]:
+            lines.append(
+                f"- focus: {item.get('incident_id')} -> {item.get('action')} [{item.get('status')}]"
+            )
+    else:
+        lines.extend(["", "## hammertime briefing", "- unavailable"])
+
+    return "\n".join(lines).rstrip() + "\n"

package/src/skcapstone/trust_graph.py

@@ -117,6 +117,8 @@ def build_trust_graph(home: Path) -> TrustGraph:
 
 def _add_self_node(home: Path, graph: TrustGraph) -> None:
     """Add the local agent as the central node."""
+    manifest_data: dict[str, Any] = {}
+
     identity_file = home / "identity" / "identity.json"
     if identity_file.exists():
         try:
@@ -130,20 +132,53 @@ def _add_self_node(home: Path, graph: TrustGraph) -> None:
                 fingerprint=data.get("fingerprint"),
                 metadata={"capauth_managed": data.get("capauth_managed", False)},
             ))
-            return
         except (json.JSONDecodeError, OSError):
             pass
 
     manifest = home / "manifest.json"
     if manifest.exists():
         try:
-            data = json.loads(manifest.read_text(encoding="utf-8"))
-            name = data.get("name", "self")
-            graph.agent_name = name
-            graph.add_node(TrustNode(id=name, label=name, node_type="agent"))
+            manifest_data = json.loads(manifest.read_text(encoding="utf-8"))
+            if not graph.nodes:
+                name = manifest_data.get("name", "self")
+                graph.agent_name = name
+                graph.add_node(TrustNode(id=name, label=name, node_type="agent"))
         except (json.JSONDecodeError, OSError):
             pass
 
+    _add_operator_edge(manifest_data, graph)
+
+
+def _add_operator_edge(manifest_data: dict[str, Any], graph: TrustGraph) -> None:
+    """Add an explicit human-operator relationship from manifest metadata."""
+    operator = manifest_data.get("operator")
+    if not isinstance(operator, dict):
+        return
+
+    name = str(operator.get("name", "")).strip()
+    if not name or not graph.agent_name:
+        return
+
+    node_id = str(operator.get("fingerprint", "")).strip() or f"operator:{name}"
+    graph.add_node(TrustNode(
+        id=node_id,
+        label=name,
+        node_type="peer",
+        fingerprint=str(operator.get("fingerprint", "")).strip() or None,
+        metadata={
+            "relationship": operator.get("relationship", "human-operator"),
+            "entity_type": operator.get("entity_type", "human"),
+            "source": operator.get("source", "manifest"),
+        },
+    ))
+    graph.add_edge(TrustEdge(
+        source=graph.agent_name,
+        target=node_id,
+        edge_type="operator",
+        label=operator.get("relationship", "human-operator"),
+        strength=1.0,
+    ))
+
 
 def _add_token_edges(home: Path, graph: TrustGraph) -> None:
     """Add edges from capability token issuance (issuer trusts subject)."""

package/src/skcapstone/unified_search.py

@@ -15,6 +15,7 @@ from __future__ import annotations
 
 import json
 import logging
+import os
 import re
 from dataclasses import dataclass, field
 from datetime import datetime, timezone
@@ -140,8 +141,16 @@ def _search_memories(
         List of SearchResult objects from the memory store.
     """
     results: list[SearchResult] = []
-    agent_name = os.environ.get("SKCAPSTONE_AGENT", "lumina")
-    mem_dir = home / "agents" / agent_name / "memory"
+    from . import active_agent_name
+
+    agent_name = os.environ.get("SKCAPSTONE_AGENT") or active_agent_name()
+    if home.parent.name == "agents":
+        # home is already an agent-specific dir (e.g. ~/.skcapstone/agents/lumina)
+        mem_dir = home / "memory"
+    elif agent_name:
+        mem_dir = home / "agents" / agent_name / "memory"
+    else:
+        mem_dir = home / "memory"
     if not mem_dir.exists():
         return results
 

package/systemd/skcapstone.service

@@ -16,20 +16,18 @@ MemoryMax=4G
 # Keep Ollama models warm for 5 minutes between requests
 Environment=PYTHONUNBUFFERED=1
 Environment=OLLAMA_KEEP_ALIVE=5m
+Environment=SKAGENT=lumina
 Environment=SKCAPSTONE_AGENT=lumina
+Environment=SKMEMORY_AGENT=lumina
 # Journal logging
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=skcapstone
 
-# Security hardening
+# Security hardening (relaxed — ProtectHome=read-only breaks if any
+# ReadWritePaths dir is missing on the host)
 NoNewPrivileges=true
-ProtectSystem=strict
-ProtectHome=read-only
-ReadWritePaths=%h/.skcapstone %h/.skenv %h/.capauth %h/.cloud9 %h/.skcomm %h/.skchat
 PrivateTmp=true
-ProtectKernelTunables=true
-ProtectControlGroups=true
 
 [Install]
 WantedBy=default.target

package/systemd/skcapstone@.service

@@ -20,8 +20,8 @@ Wants=network-online.target
 
 [Service]
 Type=notify
-ExecStart=skcapstone daemon start --agent %i --foreground
-ExecStop=skcapstone daemon stop --agent %i
+ExecStart=%h/.skenv/bin/skcapstone daemon start --agent %i --foreground
+ExecStop=%h/.skenv/bin/skcapstone daemon stop --agent %i
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=on-failure
 RestartSec=10
@@ -31,20 +31,19 @@ WatchdogSec=300
 # resolve the correct per-agent home even before the CLI flag is processed.
 Environment=PYTHONUNBUFFERED=1
 Environment=OLLAMA_KEEP_ALIVE=5m
+Environment=SKAGENT=%i
 Environment=SKCAPSTONE_AGENT=%i
+Environment=SKMEMORY_AGENT=%i
+Environment=PATH=%h/.skenv/bin:/usr/local/bin:/usr/bin:/bin
 # Journal logging — logs appear under skcapstone@<instance>
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=skcapstone@%i
 
-# Security hardening (same as single-agent unit)
+# Security hardening (relaxed — ProtectHome=read-only breaks if any
+# ReadWritePaths dir is missing on the host)
 NoNewPrivileges=true
-ProtectSystem=strict
-ProtectHome=read-only
-ReadWritePaths=%h/.skcapstone %h/.skmemory %h/.capauth %h/.cloud9 %h/.skcomm %h/.skchat
 PrivateTmp=true
-ProtectKernelTunables=true
-ProtectControlGroups=true
 
 [Install]
 WantedBy=default.target

package/systemd/skcomm-heartbeat.service

@@ -5,8 +5,8 @@ After=network-online.target
 
 [Service]
 Type=oneshot
-ExecStart=skcomm heartbeat --no-emit
-ExecStart=skcomm heartbeat
+ExecStart=%h/.skenv/bin/skcomm heartbeat --no-emit
+ExecStart=%h/.skenv/bin/skcomm heartbeat
 Nice=19
 
 NoNewPrivileges=true
@@ -16,3 +16,6 @@ ReadWritePaths=%h/.skcapstone %h/.skcomm
 PrivateTmp=true
 
 Environment=PYTHONUNBUFFERED=1
+Environment=SKAGENT=lumina
+Environment=SKCAPSTONE_AGENT=lumina
+Environment=PATH=%h/.skenv/bin:/usr/local/bin:/usr/bin:/bin

package/tests/conftest.py

@@ -19,6 +19,27 @@ from pathlib import Path
 import pytest
 
 
+@pytest.fixture(autouse=True)
+def _isolate_agent_env(monkeypatch):
+    """Prevent host SKCAPSTONE_AGENT / SKMEMORY_AGENT from leaking into unit tests.
+
+    The profile-aware runtime reads both the env var and the module-level
+    skcapstone.SKCAPSTONE_AGENT (set at import time).  We clear both so that
+    _memory_dir() falls back to the flat "home/memory" layout expected by
+    tests that use the tmp_agent_home fixture.
+    Tests that need a specific agent should override explicitly via monkeypatch.
+    """
+    monkeypatch.delenv("SKCAPSTONE_AGENT", raising=False)
+    monkeypatch.delenv("SKMEMORY_AGENT", raising=False)
+    import skcapstone
+    monkeypatch.setattr(skcapstone, "SKCAPSTONE_AGENT", "")
+    # _detect_active_agent() scans ~/.skcapstone/agents/ even when the env var
+    # is cleared, returning a real agent name that routes memory writes to the
+    # wrong directory.  Stub it out so tests using tmp directories get the flat
+    # "home/memory" layout they expect.
+    monkeypatch.setattr(skcapstone, "_detect_active_agent", lambda root=None: None)
+
+
 @pytest.fixture
 def tmp_agent_home(tmp_path: Path) -> Path:
     """Provide a temporary agent home directory for testing."""

package/tests/test_agent_home_scaffold.py

@@ -0,0 +1,34 @@
+"""Tests for fresh agent-home scaffolding."""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from unittest.mock import patch
+
+from skcapstone.migrate_multi_agent import create_agent_home
+
+
+class TestCreateAgentHome:
+    def test_manifest_includes_human_operator_when_available(self, tmp_path: Path):
+        """New agent homes persist the linked human operator in manifest.json."""
+        with patch(
+            "skcapstone.migrate_multi_agent.discover_human_operator",
+            return_value={"name": "Casey", "fingerprint": "FP123", "relationship": "human-operator"},
+        ):
+            result = create_agent_home(tmp_path, "teddy")
+
+        manifest = json.loads((tmp_path / "agents" / "teddy" / "manifest.json").read_text())
+        assert result["agent_name"] == "teddy"
+        assert manifest["name"] == "teddy"
+        assert manifest["operator"]["name"] == "Casey"
+        assert manifest["operator"]["fingerprint"] == "FP123"
+
+    def test_manifest_omits_operator_when_none_available(self, tmp_path: Path):
+        """New agent homes still create a valid manifest when no operator exists yet."""
+        with patch("skcapstone.migrate_multi_agent.discover_human_operator", return_value=None):
+            create_agent_home(tmp_path, "lumina")
+
+        manifest = json.loads((tmp_path / "agents" / "lumina" / "manifest.json").read_text())
+        assert manifest["name"] == "lumina"
+        assert "operator" not in manifest

package/tests/test_backup.py

@@ -237,7 +237,8 @@ class TestBackupManifest:
     def test_manifest_defaults(self) -> None:
         """Manifest has sensible defaults."""
         m = BackupManifest()
-        assert m.version == "0.9.0"
+        import skcapstone
+        assert m.version == skcapstone.__version__
         assert m.files == {}
         assert m.total_size == 0